DPA for infrastructure provisioning
In DPA version 1.0.0, plug-and-play templates for infrastructure-provisioning pipelines are available. These templates follow DevOps best practices, such as built-in security controls, automated deployments, versioning, and artifact management.
This section describes how to use DPA to implement centralized pipeline templates for infrastructure as code (IaC) tools. DPA supports widely used IaC tools, such as Terraform, AWS CDK, and CloudFormation. These templates are readily consumable with CI/CD services and tools, such as AWS CodePipeline and GitLab CI/CD.
The following image shows the DPA architecture for infrastructure provisioning. You use the CI/CD pipeline templates to provision infrastructure by using Terraform, CodePipeline, and AWS CDK.

The following image shows a reference pipeline for a Terraform-based application, which consumes the Terraform entry point. At the end of the post-deploy stage, the code enters a release pipeline for deployment to staging and production environments.

Note the following when using DPA for infrastructure provisioning:
- The type of event that occurs in a repository affects the pipeline construction. For example, pull requests don't provision resources to the AWS Cloud. However, when a pull request merges into the main branch, the pipeline provisions the resources to the AWS Cloud.
- The pipeline uses security scanning tools, such as tfsec, Checkov, and Terrascan, to apply security controls before the Terraform pipeline proceeds to deployment. For CloudFormation, the pipeline also uses cfn_nag and cfn-lint. For AWS CDK, the pipeline also uses cdk-nag.
- DPA creates a dedicated Docker image and hosts it on an Amazon ECR repository. These Docker images contain tools, such as the Terraform CLI, AWS CLI, and AWS CDK Toolkit. The pipeline uses these tools during runtime, regardless of which CI/CD solution you choose.
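
The first two notes above, expressed as a GitLab CI/CD configuration. This is an added example, not the DPA template itself: the stage and job names, the `tfplan` file name, and the image URI placeholder are assumptions, and it assumes that main is the repository's default branch and that the tools image also contains the three scanners.

```yaml
# Illustrative GitLab CI/CD pipeline; not the DPA template.
# Assumption: a tools image (Terraform CLI plus tfsec, Checkov, Terrascan)
# hosted in your own Amazon ECR repository. The URI below is a placeholder.
image: "ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/TOOLS_IMAGE:TAG"

stages: [scan, plan, deploy]

# Create pipelines only for merge requests and for pushes to the default branch.
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

# Security controls run for both event types. A non-zero exit code fails
# the job, which blocks the plan and deploy stages.
tfsec:
  stage: scan
  script:
    - tfsec .

checkov:
  stage: scan
  script:
    - checkov -d .

terrascan:
  stage: scan
  script:
    - terrascan scan -i terraform

# Plan runs for both event types so reviewers can inspect proposed changes.
plan:
  stage: plan
  script:
    - terraform init -input=false
    - terraform plan -input=false -out=tfplan
  artifacts:
    paths: [tfplan]

# Apply runs only after a merge to the default branch. CI_COMMIT_BRANCH is
# not set in merge request pipelines, so this job is never created for them.
apply:
  stage: deploy
  script:
    - terraform init -input=false
    - terraform apply -input=false tfplan
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

Because `apply` consumes the saved `tfplan` artifact, the changes that reach the AWS Cloud are the ones that were planned after the scanners passed in the same pipeline.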